Platform: wordpress
Component: xlsx-viewer
Fixed in: 2.1.2
CVE-2025-23562 describes an Arbitrary File Access vulnerability within the XLSXviewer WordPress plugin. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. Versions of XLSXviewer from 0.0.0 through 2.1.1 are affected. A fix is available in version 2.1.2.
The vulnerability stems from improper input validation, allowing an attacker to craft a malicious request that bypasses intended directory restrictions. Successful exploitation enables an attacker to read arbitrary files accessible to the web server process. This could include configuration files, database credentials, or other sensitive data. The potential blast radius extends to any data stored on the server accessible by the web user, posing a significant risk to data confidentiality. A successful attack could lead to data breaches, privilege escalation, and potential compromise of the entire WordPress instance.
CVE-2025-23562 was publicly disclosed on January 22, 2025. While no public proof-of-concept (PoC) has been released as of this writing, the path traversal nature of the vulnerability makes it relatively easy to exploit. The EPSS score is likely to be medium, indicating a moderate probability of exploitation given the ease of exploitation and potential impact. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.26% (49th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the XLSXviewer plugin to version 2.1.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on sensitive directories to prevent unauthorized access. Monitor web server access logs for suspicious requests containing path traversal attempts. After upgrading, verify the fix by attempting to access a non-public file via a crafted URL; it should be denied.
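The log monitoring suggested above, as an added example that is not part of this advisory: a small Python scanner that parses Apache combined-format access log lines, repeatedly percent-decodes the request URL so single- and double-encoded traversal sequences collapse to `..`, and flags requests to the plugin's path that contain a `..` segment. The plugin directory `/wp-content/plugins/xlsx-viewer/` is taken from the Component field; the `view.php` script name and the `file` parameter in the sample lines are constructed placeholders, not the plugin's real endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Jan/2025:10:00:01 +0000] "GET /wp-content/plugins/xlsx-viewer/view.php?file=report.xlsx HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [23/Jan/2025:10:00:02 +0000] "GET /wp-content/plugins/xlsx-viewer/view.php?file=../../../../wp-config.php HTTP/1.1" 200 3011 "-" "curl/8.4.0"
203.0.113.12 - - [23/Jan/2025:10:00:03 +0000] "GET /wp-content/plugins/xlsx-viewer/view.php?file=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 403 199 "-" "curl/8.4.0"
203.0.113.13 - - [23/Jan/2025:10:00:04 +0000] "GET /wp-content/plugins/xlsx-viewer/view.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 3011 "-" "python-requests/2.31"
203.0.113.14 - - [23/Jan/2025:10:00:05 +0000] "GET /wp-content/uploads/2025/01/budget.xlsx HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

PLUGIN_PATH = "/wp-content/plugins/xlsx-viewer/"  # slug from the advisory's Component field
TRAVERSAL = re.compile(r"\.\.(?:[\\/]|$)")        # '..' followed by a separator or end of URL
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize(url: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded dots (%252e) collapse to '..'."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def find_traversal_attempts(log_text: str) -> list:
    """Return requests to the plugin path whose decoded URL contains a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        url = normalize(m.group("url"))
        if url.startswith(PLUGIN_PATH) and TRAVERSAL.search(url):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "url": url, "status": int(m.group("status"))})
    return hits

if __name__ == "__main__":
    for h in find_traversal_attempts(SAMPLE_LOG):
        # A 200 on a traversal request means the server served something; treat it as a likely success.
        verdict = "LIKELY SUCCESS" if h["status"] == 200 else "blocked"
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {verdict}: {h["url"]}')
```

A 200 response to a flagged request is the line to chase first after upgrading, since a WAF or the fixed plugin should return an error instead.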
Update the XLSXviewer plugin to the latest available version to mitigate the directory traversal vulnerability. Check for available updates in the WordPress repository or on the developer's website. Make sure to take a full backup of your website before applying any update.
CVE-2025-23562 is a vulnerability in the XLSXviewer WordPress plugin that allows attackers to read arbitrary files on the server due to improper path validation.
You are affected if you are using XLSXviewer versions 0.0.0 through 2.1.1 on your WordPress site. Check your plugin versions immediately.
Upgrade the XLSXviewer plugin to version 2.1.2 or later to resolve the vulnerability. If immediate upgrade is not possible, implement WAF rules to block path traversal attempts.
While no active exploitation has been confirmed, the ease of exploitation suggests a potential for attacks. Monitor your systems closely.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.